On 20/11/2008, at 11:05 AM, Jack Bates wrote:
Nathan Ward wrote:
The problem here is XPSP2/Vista assuming that non-RFC1918 =
unfiltered/unNATed for the purposes of 6to4.
Well, deeper problem is that they're using 6to4 on an end host I
suppose - it's supposed to be used on routers.
While I don't doubt that the 6to4 is broken in such circumstances,
how many IPv6 content providers are using 6to4 addressing and not
2001:: addressing? 6to4 by default on xp and vista, in my
experience, is only used if a) talking to another 6to4 address or b)
there is no IPv4 address available.
IPv6 will be used in preference to IPv4 if it is available. If 6to4 is
the only IPv6 connectivity then it will be used. See RFC3484.
Preference of IPv4 is 10, 6to4 is 30.
Things are a bit different with Teredo.. In Vista, if Teredo is the
only IPv6 connectivity available, WSAConnectByName will not send
queries for AAAA - obviously Teredo can still be used if the
application does its own name resolution and opens sockets by INET6
address, not name.
This Teredo behaviour is not documented in an RFC anywhere I don't
believe, it is Windows specific.
6to4 never seemed like a viable method for content providing, though
its use at the eyeball layer is somewhat iffy given that it's
primary use is for other 6to4 addresses. If prefix policies are
altered to use it for 2001:: addressing, problems start arising
quickly.
Right, so, because of how RFC3484 works the above is largely invalid.
Because of RFC3484, putting 6to4 addresses on content is actually
quite a good idea. It means that hosts with 6to4 connectivity only
will not have to go via an RFC3068 (192.88.99.1) relay - they will go
direct over an IPv4 best path between their 6to4 router and yours.
This works best if RFC3484 is widely deployed - it is, however it does
not exist on OS X. Because of this, if you do this you may find OS X
clients visiting your content on a 6to4 address when they have native
connectivity, or vice versa.
So.. stuff to play with, and please go encourage Apple to do RFC3484
if you are a big customer of theirs.
A good example is that traceroutes through my he.net tunnel using
6to4 source addresses do not get replies through he.net's network,
presumably due to their routers not being 6to4 aware and having no
route to respond. Responses pick up again after picking up a network
such as NTT that is 6to4 aware. My 2001:: addressing works just fine
the entire route.
No, he.net does not have a 6to4 relay. If they did it would be used by
a very large number of networks as he.net is fairly well peered.
Because of that, the traffic would be quite high, and any relay
deployment there would have to be managed quite carefully.
I'm sure there's quite a few networks that aren't 6to4 aware,
hindering 6to4 connectivity to non-6to4 addresses.
6to4 does not require networks to be 6to4 aware - the Internet has
many public 6to4 relays available.
Note though that most end user IPv6 hosts have a 6to4 relay within 3
IPv6 hops. This is easy to calculate - throw up an AAAA pointing only
to a 2002::/16 address, and look at the HLIM of the IPv6 header (not
the IPv4 header). You will see that it is generally between 124 and
128, or 60 and 64.
(Some hosts start at 128, some 64. Few start at much else it seems.)
I did some work looking at IPv6 adoption using Bittorrent DHT to talk
to large numbers of peers without downloading any content, this was
one of the interesting points that fell out of that work.
Content providers wanting to put AAAA records on things should run
6to4 relays until IPv4-only networks are a thing of the past. If they
don't, they'll have to rely on third party relays that might not work.
--
Nathan Ward